CVE-2025-64164
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | to 2.10.15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in DataEase versions 2.10.14 and below involves improper filtering when establishing JDBC connections to Oracle databases, which leads to a risk of JNDI injection (Java Naming and Directory Interface injection). This means an attacker could potentially exploit the way DataEase handles these connections to execute malicious code or access unauthorized resources via JNDI.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to perform JNDI injection attacks, potentially leading to remote code execution or unauthorized access to sensitive data. This can compromise the confidentiality, integrity, and availability of the affected system and data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DataEase to version 2.10.15 or later, as this version fixes the JNDI injection vulnerability.